In the previous article, we created a RESTful API on top of the ReactPHP HTTP server. Now we want to protect that API with authentication. Securing a RESTful API is interesting because a truly RESTful API should remain stateless: the server doesn't store sessions, so every request must carry all the information the server needs to authenticate and handle it.
Basic HTTP Authentication
Basic authentication is an HTTP authentication scheme in which the login credentials travel in a request header. The client requests a protected URL and the server responds with a 401 Unauthorized status together with a WWW-Authenticate: Basic header (the challenge). The client then repeats the same request with the credentials attached: the string username:password, base64-encoded, is placed in the Authorization header after the scheme name Basic and a single space.
For example, if the username is user and the password is secret, base64-encoding the string user:secret gives dXNlcjpzZWNyZXQ=, so the request carries the header Authorization: Basic dXNlcjpzZWNyZXQ=.
ReactPHP doesn't ship Basic HTTP authentication out of the box, but there is a ready-made PSR-15 middleware for it that we can install with Composer:
That alone is not enough, though. ReactPHP's server middleware has its own calling convention (a callable that receives the request and a $next callable) rather than the PSR-15 process($request, $handler) interface, so a plain PSR-15 middleware can't be passed to the server directly. Instead, we wrap it with the PSR15Middleware adapter:
Now we are ready to secure the API. Instantiate the PSR-15 BasicAuthentication middleware and provide the credentials:
This middleware knows about a single user. Next, wrap it in the ReactPHP adapter:
The PSR15Middleware constructor takes the event loop, the class name of the middleware being wrapped, and an array of constructor arguments for that middleware; the adapter instantiates the PSR-15 middleware itself and translates between the two calling conventions.
Now we can use the wrapped middleware inside the server. Place $basicAuth before the router. Order matters: middleware runs in sequence, so when authentication fails the request is rejected with 401 and the router never dispatches it:
Done. From now on, to access the API a client must send the Authorization header. For our credentials the value is Basic dXNlcjpzZWNyZXQ= (curl -u user:secret builds exactly this header for you):
If you request any route without an Authorization header, or with the wrong credentials, you will receive a 401 Unauthorized response.
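To make the protocol exchange and the middleware's job concrete, here is an added example, not code from the article or from the middleware package it uses: a hand-rolled Basic authentication check written as a native ReactPHP middleware (the function ($request, $next) form, which needs no adapter). It does what the BasicAuthentication/PSR15Middleware pair does: parses the Authorization header, decodes the base64 token, splits on the first colon only (passwords may contain colons), compares the password in constant time with hash_equals, and answers 401 with a WWW-Authenticate challenge when the check fails. The user list, the realm name and the use of react/http 1.x's React\Http\Message\Response class are assumptions of this example; the authenticateBasic function itself needs nothing beyond standard PHP and can be run as-is.

```php
<?php
// Added example (not the article's own code): a hand-rolled Basic auth
// middleware for ReactPHP. Assumes react/http ^1.0 is installed via Composer
// for React\Http\Message\Response; authenticateBasic() needs only plain PHP.

use Psr\Http\Message\ServerRequestInterface;
use React\Http\Message\Response;

/**
 * Validate an Authorization header against $users (username => password).
 * Returns the authenticated username, or null if the header is missing,
 * malformed, names an unknown user, or carries the wrong password.
 */
function authenticateBasic(string $header, array $users): ?string
{
    // RFC 7617: the scheme name "Basic" (case-insensitive), whitespace,
    // then a base64 token. Anything else (e.g. "Bearer ...") is rejected.
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;
    }

    // Strict decoding returns false for input outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false) {
        return null;
    }

    // Split on the FIRST colon only: a username cannot contain ':', but a
    // password can, and "user:pa:ss" must yield the password "pa:ss".
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$username, $password] = $parts;

    if (!isset($users[$username])) {
        return null;
    }

    // Constant-time comparison so the response time does not reveal how
    // many leading bytes of the password were correct.
    return hash_equals($users[$username], $password) ? $username : null;
}

// Constructed credentials for this example (the article's user/secret pair).
$users = ['user' => 'secret'];

// Native ReactPHP middleware: receives the request and a $next callable.
$basicAuth = function (ServerRequestInterface $request, callable $next) use ($users) {
    $username = authenticateBasic($request->getHeaderLine('Authorization'), $users);

    if ($username === null) {
        // The challenge: 401 plus WWW-Authenticate. The realm is an assumed
        // label for this example; browsers display it in their login prompt.
        return new Response(
            401,
            [
                'WWW-Authenticate' => 'Basic realm="api", charset="UTF-8"',
                'Content-Type'     => 'text/plain',
            ],
            "Unauthorized\n"
        );
    }

    // Hand the verified username to the router and handlers as an attribute
    // instead of letting them re-parse the header.
    return $next($request->withAttribute('username', $username));
};

// Offline exercise of the parser; no server or Composer packages needed.
var_dump(authenticateBasic('Basic ' . base64_encode('user:secret'), $users));
var_dump(authenticateBasic('Basic ' . base64_encode('user:wrong'), $users));
var_dump(authenticateBasic('Bearer ' . base64_encode('user:secret'), $users));
```

Running the file with the php CLI exercises the parser: the first call yields the string user, the other two yield null. To wire the middleware into the server, pass $basicAuth before the router exactly as the article does with the adapter-wrapped middleware; handlers downstream can then read the username from the request attribute instead of touching the header again.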
Basic HTTP authentication is probably the quickest and easiest way to protect a REST API. It requires no cookies, sessions, login pages, or other machinery, and because it rides on a standard HTTP header there is no handshake or multi-step flow beyond the single 401 challenge. Looks simple, right? But HTTP Basic authentication has some drawbacks:
- the username and password are sent with every request, so they are exposed to anything that can read the request: proxies, access logs, and an eavesdropper on the network
- credentials can't easily be expired or revoked: there is no token to invalidate, only the password itself to change
Base64 is an encoding, not encryption, so the header can be decoded by anyone who sees the traffic. This scheme must therefore only be used over TLS (HTTPS), never over plain HTTP on an open network.
Further Reading: in the next article we will cover another solution to protect our RESTful API - JWT Authentication.
You can find examples from this article on GitHub.
This article is a part of the ReactPHP Series.